Re: Quotes from GPG users
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 04/11/13 15:52, Ben McGinnes wrote: Now, for some new quotes Thanks Ben, I couldn't have asked for more :) Don't worry about official endorsement from the Pirate Party AU - your quote communicate GPG's importance sufficiently. Best, Sam. - -- Sam Tuke Campaign Manager Gnu Privacy Guard 0044 78680 77871 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.15 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iF4EAREIAAYFAlJ6MiwACgkQ1bR1Itj7YQXMTAEAgFLrka0zg5O1PSYY3payscWI /G7aRd8EO0Zx+seFTN0A/AhmH+E8OcNtUnw/5E7U2Ar7qKJ7SFrwbFHNsjnFhgDS =yIJl -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Quotes from GPG users
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 03/11/13 22:01, Marko Randjelovic wrote: I send five variants (but the best is all of them :) ): Thanks Marko! Is it OK if I rephrase two of them like this?: I use GnuPG because I was taught it's a sin to open other people's letters I use GnuPG because ?I won't trade my independence for anything Best, Sam. - -- Sam Tuke Campaign Manager Gnu Privacy Guard 0044 78680 77871 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.15 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iF4EAREIAAYFAlJ6M0wACgkQ1bR1Itj7YQVtrAEAvPu9c1aAfOwrI66a1tq7ipW3 OBS5jT4gwUQ3qlTnlUIA/Rii6TwlkNtbmvvyKUiD0/804iqChK6AF6rkuToKneR2 =LI+x -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
MFPA == MFPA expires2...@ymail.com writes: Hi Hi On Monday 4 November 2013 at 10:43:43 PM, in mid:87habrrdnk@mat.ucm.es, Uwe Brauer wrote: - from my own experience I am convinced that smime is much easierthan gpg[2] for reasons I am not going to repeat here. (I got 7out of 10 of my friends/colleagues to use smime, but 0 of 10 to use gpg.) Depending on the software people are using. I'm willing to accept that there are probably more people for whom S/MIME is easier to use. Well take for example iOs: using pgp is a sort of a nightmare. The reasons why I think smime is easier to use for the average user are: smime is already installed in most MUA (so no additional software+plugin) keypairs are generated and signed by the trust center. Public keys are automatically embedded in the signatures. The email app I am using to write this message can (almost trivially) generate and use self-signed certificates for the email accounts it has configured. The difficulty is getting other people to persuade their MUA to accept them. Aha I see you use the BAT, an email program I have not seen in use, for almost a decade. Good and bad news. Gpgsm allowed my to use your public keys after having fireing up a series of questions, iOs also, (if you don't mind I send you to test messages later privately) However thunderbird refuses to use yoru public key claiming it cannot be trusted. So I am afraid the issue is to persuade the not only the people but also the software. I think I mentioned in one of my other postings that I was using hyperbole to make my point. I'm not quite _that_ paranoid, but I believe in exercising a healthy skepticism. Ok I have seen this now. regards Uwe smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: BitMail.sf.net v 0.6 - Secure Encrypting Email Client
can BitMail.sf.net as a p2p email tool for encrypted Email (and hybrid with IMAP-Email) be regarded as a reference model for research to create a secure Email Client? as it uses both, gnupg and openssl! I would suggest figuring out very precisely what you intend by secure. Once you have that definition, look at the BitMail project and see if their notion of secure has a lot in common with your notion. If they do, then it's time to take a look at the design of BitMail and its implementation. Look for areas where they do not closely follow their definition of 'security'. Every nontrivial program has some of these areas. Once you have a good idea of how BitMail works, then it will be time to learn from their mistakes. In the process you will undoubtedly make mistakes of your own. Don't be disheartened: the only hackers who have not made completely humiliating errors are ones who have not been programming long. The trick is to never make the same one twice. :) ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: trust your corporation for keyowner identification?
(Sorry, failed again to reply to the list, so you probably have this message twice again.) On Tue, Nov 05, 2013 at 05:32:38PM -0800, Paul R. Ramer wrote: On Tuesday 5 November 2013 at 11:03:19 PM, in mid:52797937.5090...@gmail.com, Paul R. Ramer wrote: But if you sign it with an exportable signature, you are saying to others that you have verified the key. In the absence of a published keysigning policy, isn't that an assumption? Signing is to be an attestation to the validity of the key. [...] Well, thus my reasoning (last message) allows me to prove that I can have the same level of confidence in Key 2 than in Key 1, even though I have not done again all the steps of verification. Thus, signing being an attestation of the validity of the key (I assume you meant of the confidence in the validity of the key), why should one sign Key 1 and not Key 2 ? For the same reason, signing (and exporting signatures) based on people I blindly trust is not an issue to me. (I know, I just released the troll.) Because if I blindly trust these persons, I believe with absolute certainty that the person is who (s)he says (s)he is. And so I can announce this certainty by signing the key. (I use the term blindly to mean even more than the technical ultimately, as this one could be expressed using trust signatures. Just really blindly trust, as when you would let them to decide your fate, knowing they could be better off by sending you to hell.) Of course, if I sign the key only because it is validated through technical means, not by hand-checking for a signature from a blindly trusted owner, I would never sign that other key. The fact that others could get just the same effect by twisting their WoT parameters is not an issue to me. Firstly, because there are few trust signatures (according to best practices I read, that said trust signatures are mainly made for closed-system environments), so WoT rarely expands outwards of one signature by someone you know. But mostly because signing is an attestion of your belief someone is who (s)he is. Thus, if you believe someone is who the UID states (s)he is as much as if you met him/her in person and followed the whole verification process, I would not mind your exporting signatures of the key. And saying that it allows the blindly trusted person to force you to see a key as validated through three persons you marginally trust is meaning nothing to me. Indeed, these three persons are all asserting they believe with certainty that the key owner is who (s)he says (s)he is. That all used the same information source is just commonly done. Indeed, how do you check an identity ? * Name : Passport. Any government could make a passport as wanted, not even speaking about forgery. Thus everyone you know who signed some UID probably based their verification work on a single passport. * Comment : Depends of the comment. For CEO company X, it is probably based on public archives. Them referring to a person by his/her name, any forged passport also means forged name. * Email : Probably a mere exchange of emails. Thus, anyone doing MitM could intercept the exchange and reply so as to make you validate the key, and even without MitM, the email provider could do as well. Every time, the certainty of the UID element is heavily dependent on other's work. Thus, why should we refuse to base our work on other's signatures ? (*assuming* you believe in the UID validity as much as you would have done using full verification) I just found a counter-example : in case the message (signed by Key 1) telling owner of Key 1 is owner of Key 2 is signed by a subkey, which might have been compromised. However, I assumed such a message would only be sent signed using the master key, as it must be totally relied upon. Thus, anyone able to forge such a message would be able to forge any message using the master key, and especially to add new encryption subkeys... Thus, such a scenario is not a threat IMHO. Cheers, Leo ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi On Wednesday 6 November 2013 at 11:42:49 AM, in mid:87txfpg3ie@gilgamesch.quim.ucm.es, Uwe Brauer wrote: Well take for example iOs: using pgp is a sort of a nightmare. So I have heard. The reasons why I think smime is easier to use for the average user are: smime is already installed in most MUA (so no additional software+plugin) But all the hordes who use webmail are pretty-much still out of luck, though. (With certain exceptions, such as hushmail.) keypairs are generated and signed by the trust center. I don't know about the trust centre. The Bat! gives me the choice of its own internal implementation or Microsoft Crypto-API, which is part of Windows. (The Bat! and Windows are closed-source proprietary products that we probably shouldn't discuss too much on this list.) Public keys are automatically embedded in the signatures. That is simpler and avoids the web-bug-like effect you have if you choose to auto-retrieve OpenPGP keys from keyservers for new contacts. But must waste a lot of bandwidth between regular correspondents. Aha I see you use the BAT, an email program I have not seen in use, for almost a decade. I have used it myself for over nine years. Good and bad news. Gpgsm allowed my to use your public keys after having fireing up a series of questions, iOs also, Good. (if you don't mind I send you to test messages later privately) I don't mind. However thunderbird refuses to use yoru public key claiming it cannot be trusted. Fair enough. Using its internal implementation, The Bat! accepts signatures from the S/MIME certificate I created last night (because I added it to the trusted root CA address book) and does not accept your S/MIME signature (because Comodo's root certificate is not in the trusted root CA address book - but adding it would be just a few clicks). MS Crypto-API is fine with Comodo's root cert, but says my certificate has an invalid signature algorithm specified. I just searched and found [1] about Thunderbird, which says you can import a copy of other people's self-signed S/MIME certificate from a .cer file into your Authorities tab. So much for being easier because keys are automatically embedded in the signatures. So I am afraid the issue is to persuade the not only the people but also the software. As I said, getting other people to persuade their MUA to accept it. [1] http://kb.mozillazine.org/Installing_an_SMIME_certificate. - -- Best regards MFPAmailto:expires2...@ymail.com Courage is not the absence of fear, but the mastery of it. -BEGIN PGP SIGNATURE- iPQEAQEKAF4FAlJ60MxXFIAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0 N0VDQTAzAAoJEKipC46tDG5pfXkEALs5FK+Llmn4wqCq+GUO0+qJ+TjHyHoEFd2R 3RRCHLG1ZcwhP0tOAX9Xo5439N16M31x6FB5u6CglI4RNcMvHK/FwqE1Y6e0I3SR WLqUiX0Oq+JMKQnRBW1DaIGGCIB4uqPQ6DwFKikcA4p4fUSoXpRaKJA7Sar4Sj32 6o35st6x =AcqD -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users